Renewing ADFS 2.0 Certificates in SharePoint 2013

First export your certificate(s) from ADFS.

Log in to AD FS 2.0 Management.  Under “Service”, select “Certificates.”  Find the primary token-signing certificate (the new one you want to renew).  Double click on it, under “Details”, click the “Copy To File” button.  Follow the steps to export it (Choose not to export the private key).  If the certificate has a parent, you may also need to double click on the certificate you are exporting, and export the parent as well.

Copy the certificate(s) to your SharePoint 2013 Server.

From the SharePoint 2013 Management Shell:

Type:

Get-SPTrustedRootAuthority

Find the “Id” for the Trusted Root Authority (certificate you want to update):

Be sure you are selecting the correct Id, and not the Id for the “local” self signed SharePoint certificate.

Next, import the certificate:

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("c:\newcert\adfs-new.cer")

Then, update the TrustedRootAuthority certificate using the Id you noted above for the “Identity”:

Set-SPTrustedRootAuthority -Identity "da3a4018-993b-4fac-9c31-7ba86ae03114" -Certificate $cert

(You may need to repeat the above steps for the parent cert, if you are updating that as well.)

Check your work, by typing:

Get-SPTrustedRootAuthority

Note the dates for your cert(s) to see if it is current.

Finally, you will also need to update the Trusted Token Issuer.

Type:

Get-SPTrustedIdentityTokenIssuer

Note the name for your trusted token issuer.

Using the Name noted above, update the certificate using the following:

Set-SPTrustedIdentityTokenIssuer "adfs20" -ImportTrustCertificate $cert

Finally, verify your work:

Get-SPTrustedIdentityTokenIssuer

Try logging in.  If all goes well, you’ve earned yourself a coffee.